USDA
UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20250

DATE: DEC 26 2002

REPLY TO
ATTN OF: 06401-15-FM

SUBJECT: U.S. Department of Agriculture Commodity Credit Corporation's Financial Statements for Fiscal Year 2002

TO: Board of Directors
    Commodity Credit Corporation

ATTN: Kristine Chadwick
      Controller
      Commodity Credit Corporation

The report presents the auditors' opinion on the Commodity Credit Corporation's (CCC) principal financial statements for the fiscal year ending September 30, 2002. Reports on CCC's internal controls structure and its compliance with laws and regulations are also provided.

KPMG Peat Marwick LLP, an independent certified public accounting firm, conducted the audit. We monitored the progress of the audit at all key points, reviewed the workpapers, and performed other procedures, as we deemed necessary.
We determined the audit was conducted in accordance with generally accepted auditing standards, Government Auditing Standards (issued by the Comptroller General of the United States), and the Office of Management and Budget's Bulletin No. 01-02, "Audit Requirements for Federal Financial Statements."

It is the opinion of KPMG Peat Marwick LLP that the financial statements present fairly, in all material respects, CCC's financial position as of September 30, 2002, and its net costs, changes in net position, budgetary resources, and reconciliation of net costs to budgetary obligations for the year then ended, in conformity with generally accepted accounting principles. We concur with that opinion. The KPMG Peat Marwick LLP report on CCC's internal control structure over financial reporting identified five reportable conditions that it also considered material weaknesses. Specifically, KPMG identified material weaknesses in CCC's:

- Information security controls;
- Financial system functionality and related processes;
- Funds control mechanisms;
- Financial accounting and reporting processes and procedures; and
- Budgetary accounting and reporting policies and procedures.

The results of KPMG's tests of compliance with laws and regulations disclosed instances of noncompliance with the laws and regulations identified below:

- The Computer Security Act of 1987;
- The Government Information Security Reform Act;
- The Debt Collection Improvement Act of 1996; and
- The Federal Financial Management Improvement Act of 1996.

In accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days describing the corrective actions taken or planned, including the timeframes to address the reports' recommendations.
Please note the regulation requires a management decision to be reached on all findings and recommendations within a maximum of 6 months from report issuance.

RICHARD D. LONG
Assistant Inspector General for Audit

UNITED STATES DEPARTMENT OF AGRICULTURE
COMMODITY CREDIT CORPORATION
September 30, 2002

Table of Contents

Independent Auditors' Report
    Exhibit 1 - Material Weakness
    Exhibit 2 - Management's Response to Findings Contained in the Independent Auditors' Report

Consolidated Financial Statements
    Management's Discussion and Analysis
    Consolidated Financial Statements
    Notes to the Consolidated Financial Statements

Required Supplementary Stewardship Information (Unaudited)
    Schedule 1 - Wetlands Reserve Program

Required Supplementary Information (Unaudited)
    Schedule 2 - Supporting Schedule to the Combined Statement of Budgetary Resources
    Schedule 3 - Intergovernmental Amounts

Other Accompanying Information (Unaudited)
    Schedule 4 - Change in Inventory, By Commodity
    Schedule 5 - Supporting Schedule to the Consolidated Statement of Net Cost

INDEPENDENT AUDITORS' REPORT

2001 M Street, NW
Washington, DC 20036
KPMG LLP, a U.S. limited liability partnership, is a member of KPMG International, a Swiss association.

To the Inspector General
U.S. Department of Agriculture

To Commodity Credit Corporation

We have audited the accompanying consolidated balance sheet of the Commodity Credit Corporation (CCC) as of September 30, 2002, and the related consolidated statements of net cost, changes in net position and financing; and the combined statement of budgetary resources (hereinafter referred to as the "consolidated financial statements") for the year then ended. The objective of our audit was to express an opinion on the fair presentation of these consolidated financial statements.

The financial statements of CCC as of September 30, 2001 were audited by the U.S. Department of Agriculture, Office of Inspector General (OIG) whose report, dated February 26, 2002, expressed an unqualified opinion on the consolidated balance sheet, statement of net cost, and statement of changes in net position, and a disclaimer of opinion on the combining statements of budgetary resources and financing, because CCC was not able to provide sufficient and competent evidential matter to support material line items on those statements.

In connection with our audit, we also considered CCC's internal control over financial reporting and tested CCC's compliance with certain provisions of applicable laws and regulations that could have a direct and material effect on its consolidated financial statements.

SUMMARY

As stated in our opinion on the consolidated financial statements, we concluded that CCC's consolidated financial statements as of and for the year ended September 30, 2002, are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America.

Our consideration of internal control over financial reporting resulted in the following conditions being identified as reportable conditions:

- Improvement needed in information security controls;
- Improvement needed in financial system functionality and related processes;
- Improvement needed in funds control mechanisms;
- Improvement needed in financial accounting and reporting policies and procedures; and
- Improvement needed in budgetary accounting and reporting policies and procedures.

We consider all of the reportable conditions above to be material weaknesses. The results of our tests of compliance with certain provisions of laws and regulations disclosed instances of noncompliance with the following laws and regulations that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements for Federal Financial Statements:

- Computer Security Act of 1987 and Government Information Security Reform Act (GISRA);
- Debt Collection Improvement Act of 1996; and
- Federal Financial Management Improvement Act of 1996 (FFMIA).

The following sections discuss our opinion on CCC's consolidated financial statements, our consideration of CCC's internal control over financial reporting, our tests of CCC's compliance with certain provisions of applicable laws and regulations, and management's and our responsibilities.

OPINION ON THE CONSOLIDATED FINANCIAL STATEMENTS

We have audited the accompanying consolidated balance sheet of the Commodity Credit Corporation as of September 30, 2002, and the related consolidated statements of net cost, changes in net position and financing; and the combined statement of budgetary resources, for the year then ended.

The financial statements of CCC as of September 30, 2001 were audited by the U.S.
Department of Agriculture, Office of Inspector General whose report, dated February 26, 2002, expressed an unqualified opinion on the consolidated balance sheet, statement of net cost, and statement of changes in net position, and a disclaimer of opinion on the combining statements of budgetary resources and financing because CCC was not able to provide sufficient and competent evidential matter to support material line items on those statements.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of CCC as of September 30, 2002, its net costs, changes in net position, reconciliation of net costs to budgetary obligations, and budgetary resources, for the year then ended, in conformity with accounting principles generally accepted in the United States of America.

The information in the Management's Discussion and Analysis, Required Supplementary Stewardship Information and Required Supplementary Information sections is not a required part of the consolidated financial statements, but is supplementary information required by accounting principles generally accepted in the United States of America or OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.

Our audit was conducted for the purpose of forming an opinion on the consolidated financial statements taken as a whole. The Other Accompanying Information included in Schedules 4 and 5 is presented for purposes of additional analysis and is not a required part of the consolidated financial statements.
We did not audit this information and, accordingly, we express no opinion on it.

INTERNAL CONTROL OVER FINANCIAL REPORTING

Our consideration of internal control over financial reporting would not necessarily disclose all matters in the internal control over financial reporting that might be reportable conditions. Under standards issued by the American Institute of Certified Public Accountants, reportable conditions are matters coming to our attention relating to significant deficiencies in the design or operation of the internal control over financial reporting that, in our judgment, could adversely affect CCC's ability to record, process, summarize, and report financial data consistent with the assertions by management in the consolidated financial statements.

Material weaknesses are reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements, in amounts that would be material in relation to the consolidated financial statements being audited, may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.

In our fiscal year 2002 audit, we noted certain matters, described in Exhibit 1, involving internal control over financial reporting and its operation that we consider to be reportable conditions. We believe that all of the reportable conditions presented in Exhibit 1 are material weaknesses.
Certain matters noted in Exhibit 1 were not reported by CCC in its fiscal year 2002 internal control self assessment, conducted under the Federal Managers' Financial Integrity Act of 1982 (FMFIA).

* * * * *

We also noted other matters involving internal control over financial reporting and its operation that we have reported to the management of CCC in a separate letter dated December 13, 2002.

COMPLIANCE WITH LAWS AND REGULATIONS

Our tests of compliance with certain provisions of laws and regulations, as described in the Responsibilities section of this report, exclusive of the FFMIA, disclosed two instances of noncompliance with the following laws and regulations that are required to be reported under Government Auditing Standards and OMB Bulletin No. 01-02, and are described below.

Computer Security Act of 1987 and GISRA. The Computer Security Act of 1987 requires that Federal agencies implement acceptable information security practices, such as mandatory periodic training for all system users, to improve the security and privacy of sensitive information maintained in Federal computer systems. More recently, GISRA was passed as part of the Defense Authorization Act of 2000, and mandates that Federal agencies implement processes and controls to maintain an effective information security program, including planning, risk assessment, training, and evaluations in such a manner to comply with policy guidance contained in OMB Circular A-130, Management of Federal Information Resources. We noted that the Farm Service Agency (FSA)/CCC needs to improve its level of compliance with the Computer Security Act and GISRA by implementing additional controls and processes supporting its entity-wide security program and operating device security. These matters are described in Exhibit 1.

Debt Collection Improvement Act.
The Debt Collection Improvement Act of 1996 (DCIA) is intended to significantly enhance the Federal Government's ability to service and collect debts. Under the DCIA, Treasury assumes a significant role for improving government-wide receivables management. The DCIA requires Federal agencies to refer eligible delinquent non-tax debts over 180 days to U.S. Treasury for the purpose of collection by cross-servicing or the offset program. The results of our tests of compliance with DCIA disclosed instances where CCC was not in compliance with certain provisions of the Act. Specifically, we noted that some eligible debts were not forwarded to Treasury for cross-servicing or the offset program. These matters are described in Exhibit 1.

The results of our tests of compliance with other laws and regulations, exclusive of FFMIA, disclosed no instances of noncompliance that are required to be reported under Government Auditing Standards or OMB Bulletin No. 01-02.

* * * * *

FFMIA. The results of our tests of FFMIA disclosed instances, described in detail in Exhibit 1, where FSA/CCC's financial management systems did not substantially comply with Federal financial management systems requirements, Federal accounting standards, or the United States Government Standard General Ledger at the transaction level.

FFMIA mandates that Federal financial management be advanced by ensuring that Federal financial management systems can and do provide reliable, consistent disclosure of financial data, and that they do so on a basis that is uniform across the Federal government from year to year consistently using accounting principles generally accepted in the United States of America.
Federal agencies need to comply with FFMIA by adhering to policies established by OMB, such as OMB Circular A-127, Financial Management Systems, and OMB Circular A-130.

A summary of the instances of FFMIA non-compliance noted in Exhibit 1 follows:

- FFMIA requires that Federal agencies implement information security controls and contingency planning capabilities in accordance with OMB Circular A-130. As noted above, FSA/CCC needs to improve in these areas to be in compliance with Circular A-130.

- FFMIA requires that Federal agencies implement financial systems controls in accordance with OMB Circular A-127. We noted several areas where FSA/CCC can improve the controls and processes over financial systems to better comply with Circular A-127. For example, interfaces between FSA/CCC's core financial system and financial feeder systems can be improved to provide for more efficient financial processing; the level of training for financial management systems users can be improved.

- FFMIA requires that Federal agencies comply with the Federal accounting standards using the United States Government Standard General Ledger at the transaction level. We noted that CCC's financial systems and processes for posting transactions can be improved. For example, we noted that budgetary entries recorded for cash collections from inventory sales were recorded incorrectly, as the program code used to record collections for certain types of inventory sales posted an expenditure refund instead of a revenue collection.

RESPONSIBILITIES

Management's Responsibilities

The Government Management Reform Act of 1994 (GMRA) requires each Federal agency to report annually to Congress on its financial status and any other information needed to fairly present its financial position and results of operations.
To meet the GMRA reporting requirements, CCC prepares annual consolidated financial statements.

Management is responsible for:

- Preparing the consolidated financial statements in conformity with accounting principles generally accepted in the United States of America;

- Establishing and maintaining internal controls over financial reporting, preparation of the Management's Discussion and Analysis (including the performance measures), the required supplementary information, and the required supplementary stewardship information; and

- Complying with laws and regulations, including FFMIA.

In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies. Because of inherent limitations in internal control, misstatements due to error or fraud may nevertheless occur and not be detected.

Auditors' Responsibilities

Our responsibility is to express an opinion on the fiscal year 2002 consolidated financial statements of CCC based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards and OMB Bulletin No. 01-02.
Those standards and OMB Bulletin No. 01-02 require that we plan and perform the audit to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement.

An audit includes:

- Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;

- Assessing the accounting principles used and significant estimates made by management; and

- Evaluating the overall consolidated financial statement presentation.

We believe that our audit provides a reasonable basis for our opinion.

In planning and performing our fiscal year 2002 audit, we considered CCC's internal control over financial reporting by obtaining an understanding of CCC's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements. We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin No. 01-02 and Government Auditing Standards. We did not test all internal controls relevant to operating objectives as broadly defined by FMFIA. The objective of our audit was not to provide assurance on internal control over financial reporting. Consequently, we do not provide an opinion thereon.

As required by OMB Bulletin No. 01-02, we considered CCC's internal control over required supplementary stewardship information by obtaining an understanding of CCC's internal control, determining whether these internal controls had been placed in operation, assessing control risk, and performing tests of controls.
Our procedures were not designed to provide assurance on internal control over required supplementary stewardship information and, accordingly, we do not provide an opinion thereon.

As further required by OMB Bulletin No. 01-02, with respect to internal control related to performance measures determined by management to be key and reported in the Management's Discussion and Analysis, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions. Our procedures were not designed to provide assurance on internal control over performance measures and, accordingly, we do not provide an opinion thereon.

As part of obtaining reasonable assurance about whether CCC's fiscal year 2002 consolidated financial statements are free of material misstatement, we performed tests of CCC's compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 01-02, including certain provisions referred to in FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws and regulations applicable to CCC.
Providing an opinion on compliance with laws and regulations was not an objective of our audit and, accordingly, we do not express such an opinion.

Under OMB Bulletin No. 01-02 and FFMIA, we are required to report whether CCC's financial management systems substantially comply with (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA Section 803(a) requirements.

DISTRIBUTION

This report is intended for the information and use of CCC's management, the USDA Office of the Inspector General, OMB and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

December 13, 2002

Exhibit 1 – Material Weaknesses

INTRODUCTION

The internal control weaknesses discussed in this report, and the Commodity Credit Corporation's (CCC) progress toward correcting these weaknesses, are discussed in the context of CCC's existing statutory and organizational structure. We recognize that any recommended information technology (IT) control enhancements pertaining to CCC operations cannot be implemented solely by CCC, because CCC applications are in many cases hosted on systems managed by the United States Department of Agriculture (USDA) and the USDA Farm Service Agency (FSA).
As a result, several of the IT control weaknesses identified in this report will require the combined effort of USDA and FSA/CCC management.

Exhibit 1 describes the reportable conditions, all of which are considered to be material weaknesses as of and for the year ended September 30, 2002, and our recommendations. CCC management's response is presented in Exhibit 2.

MATERIAL WEAKNESSES

The material weaknesses in FSA/CCC's internal control, as of and for the year ended September 30, 2002, are summarized below.

1. IMPROVEMENT NEEDED IN INFORMATION SECURITY CONTROLS.

Information security management is a critical component in protecting sensitive and critical FSA/CCC information resources and financial data. The citizens of the United States entrust the stewardship of Federal government financial resources and assets to government financial and program managers. Without effective information security controls over financial systems and supporting systems, there is substantial risk that the resources under stewardship may be exposed to unauthorized modification, disclosures, loss, or impairment.

Information security weaknesses have been identified in FSA/CCC's processing for several years by the USDA Office of Inspector General (OIG). In response, FSA/CCC has recently undertaken several initiatives to improve its information security program capabilities.
For example, during fiscal year 2002, FSA/CCC:

- Performed an Office of Management and Budget (OMB) Circular A-127, Financial Management Systems, self assessment of CORE, the primary FSA/CCC financial system, which identified the need for several improvements, including improvements related to information security;

- Initiated a system risk assessment process using an automated software tool; and

- Performed periodic tests of network and system devices to help identify potential vulnerabilities.

These accomplishments are commendable, but more needs to be done to ensure appropriate levels of confidentiality, integrity, and availability of sensitive and critical information systems and resources. Specifically, we noted several areas, detailed below, where improvements are needed in establishing and maintaining sustainable and repeatable information security controls affecting FSA/CCC's financial systems environment as well as other sensitive/mission critical systems and processes.

Entity-wide Information Security Program Management

FSA/CCC lacks a complete information security management program that can be applied to its general support systems and its various financial systems. Specifically:

- FSA's information security risk assessment process needs to be improved. FSA's current risk assessment policies and practices do not provide for a consistent, agency-wide approach for performing information security risk assessments.
  Although FSA has had risk assessments performed for some of its systems, several different vendors and processes have been used, leading to some inconsistency in the process and analysis of the findings. Risk assessment is an initial, and critical, step in determining the level of security protections needed for general support systems and computer applications. FSA recognizes it needs to improve in this area, and plans to use more consistent policies and approach for performing future risk assessments. FSA plans to perform risk assessments for 60 applications and general support systems by the end of fiscal year 2003.

- We noted that FSA's general support system security plans and a sample of specific application security plans do not consistently meet requirements established in Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources. For example, the plans did not consistently describe the system/application rules of behavior, and reviews of general support systems and application security controls were not performed for each system within the three year timeframe required by OMB Circular A-130. A contributing factor to this issue is that policies for updating USDA security plans have been under development by the USDA Office of the Chief Information Officer (OCIO). Recently the USDA CIO issued the final policy guidance for the development of security plans, and USDA agencies are now updating security plans to be consistent with the guidance. FSA plans to update all its security plans by June 2003 in accordance with the new USDA OCIO guidance.

  Maintaining consistent and complete security plans is a critical component of an organization's entity-wide security program.
  FSA/CCC program managers should rely upon the accuracy and completeness of system security plans to make a determination of whether to accept the security risks associated with the organization's systems. Without complete security plans, security responsibilities and controls may not be adequately documented, leading management to inadvertently rely on security controls that could be insufficient to fully ensure system and resource integrity, confidentiality, and availability.

- Policies and practices are not in place to ensure the consistent sharing of information between FSA offices regarding terminated employees. This has contributed to terminated employees maintaining access to FSA systems. For example, we reviewed a listing of 83 terminated FSA employees for the period March 23 to August 24, 2002, and found that 23 (28%) still had active FSA system accounts. In addition, periodic employee reinvestigations are not consistently performed. Such efforts are needed to ensure that terminated employees cannot still access FSA systems.

  Protection from unauthorized access by personnel who best understand an organization's systems is just as important, if not more important, than ensuring protection from hackers/crackers[1] who attempt unauthorized access over the Internet. Information security industry information shows that although external hacker/cracker attempts gain the most media attention, the majority of successful, and most damaging attacks, are performed by personnel who best understand the systems and business processes, such as terminated employees who still have system access.

  [1] We define a hacker as a person who tries to break into computer systems, but not for malicious purposes. We define a cracker as a person who breaks into computer systems for malicious purposes.

  The USDA OIG has identified similar weaknesses in prior audits of FSA/CCC internal controls, but this matter has not yet been corrected because the coordination between all necessary FSA offices has not been sufficient to improve the necessary policies and practices.

- During our audit work at the Vernon County (Missouri); Mississippi County (Missouri); and Lauderdale County (Tennessee) County Offices, we noted the lack of consistent and up to date information security awareness training for county office personnel. While we were able to identify previous security awareness training sessions performed for FSA/CCC Kansas City office personnel, security awareness training for county office personnel was not substantiated. Additionally, we noted that new county office employees were not consistently provided with security training. Although security training for all employees is important, it is especially so for FSA county office personnel, as these personnel initiate many of the transactions supporting the FSA/CCC mission. FSA recognizes that the security training efforts for county office personnel have not been effective, primarily because the training has only consisted of reading materials.
    During fiscal year 2003 FSA is planning to use an
    interactive Internet security training program recently made available USDA-wide to improve the
    training efforts for all FSA employees.

•   A key information security requirement in OMB Circular A-130 relates to the completion and testing
    of system and application contingency plans. Such efforts are important not only to maintain adequate
    information security over systems and resources, but also to maintain processing operations during an
    outage. We identified the following examples where FSA/CCC’s contingency planning efforts need
    improvement:
    - A Continuity of Operations Plan (COOP) specifies the actions necessary to accomplish a smooth
      transition to an alternative site and resumption of business operations. A COOP consists of two
      parts: a disaster recovery plan (DRP) developed by the IT function and a Business Resumption
      Plan (BRP) developed by the core business area. An organization’s contingency planning
      capabilities are based primarily on the effectiveness of the COOP.
      FSA/CCC’s COOP was last
      updated for the Year 2000 contingency planning efforts, and although several aspects of it are still
      current, other elements of it are not.
    - During our test work at three county offices: Vernon County (Missouri); Mississippi County
      (Missouri); and Lauderdale County (Tennessee), we noted that documented and tested
      contingency plans for the offices were not prepared.
    - Results from a recent disaster recovery exercise for the FSA/CCC CORE accounting system, and
      several key feeder systems, indicated that necessary system data elements were not identified as
      critical components of the recovery testing effort.

    A contributing factor to these issues is that the policies and practices for consistently updating and
    maintaining contingency plans need to be improved. FSA/CCC management recognizes this, and plans
    to complete a revised contingency planning policy by January 2003. After the completion of the
    policy, FSA/CCC is planning to update the necessary organizational contingency plans.

Information Security Weaknesses with Operating Devices

During our testing we noted significant security weaknesses existed on FSA/CCC network and system
devices[2]. The weaknesses resulted from insufficient device password practices and vulnerable operating
system configurations. The identified weaknesses could be exploited by unauthorized personnel to attack
and penetrate FSA/CCC’s IT environment to ultimately gain access to sensitive financial processing
devices and applications. We also noted weaknesses with system password use at county offices and the
lack of a current remote access policy.
Because of the sensitivity of these weaknesses, the details on these
issues are not included in this report, and were provided directly to the FSA Security Office. Many of
these vulnerabilities have been identified by the USDA OIG in prior audits, but have not been fully
addressed because of weaknesses in policies and practices related to securing IT devices.

The device vulnerabilities were identified through the use of a combination of commercial security
assessment tools and freeware software tools available to the public over the Internet. Several of the
vulnerabilities did not require significant technical expertise to exploit. The device testing that was
performed under this audit was: 1) performed under a specific window of time, 2) performed with the
knowledge of FSA/CCC IT personnel, and 3) halted when a certain level of compromise was obtained.
Hackers/crackers do not operate under such controlled circumstances. If they identify vulnerabilities they
are free to continue probing organization networks and systems whenever they choose. Many
hackers/crackers will gain unauthorized access to system and network devices, then wait several days or
months before attempting further access.

Consequently, FSA/CCC should not interpret the security weaknesses identified during this audit only as
a point in time assessment. Rather, FSA/CCC should, as part of the entity-wide security program and risk
management process, use the results of the audit and the periodic vulnerability scans performed by the
FSA Security Office, to develop technical guidelines for securing network and system devices. This is
also important because any newly implemented network and system devices, or changes to existing
devices, can significantly alter the security posture of the organization.
In addition, the information
security community is constantly identifying new vulnerabilities that must be reviewed and considered for
potential impact on the organization.

[2] Network devices and software are relevant to an agency’s financial internal control structure because, as guided
by OMB Circular A-127, a financial system includes any process by which data about financial events is collected or
transmitted.

Recommendations:

The above issues significantly reduce the overall information security controls for FSA/CCC’s financial
systems processing environment, as well as for other sensitive and mission critical FSA/CCC applications.
Therefore, we recommend the following actions to improve FSA/CCC’s overall infrastructure security
environment. FSA/CCC management should:

1. Clearly articulate via policy executive management commitment and support for defining and
   maintaining information security goals and objectives that must be followed by all FSA offices. This
   is an initial step by management that is needed to establish clear internal control objectives and
   techniques (e.g., security risk assessment process, use of strong technical security controls, etc.) for
   maintaining security for its IT environment.

2. In concert with USDA guidance and requirements, continue efforts to develop, implement, and
   monitor an agency-wide information security risk assessment process, to include the completion of
   the 60 risk assessments planned for FY 2003.

3. Ensure consistency in completion of system security plans, using appropriate Federal and USDA
   OCIO guidance.

4. Implement enhanced policies and practices regarding removal of system access for terminated
   employees. It is very important that this issue be addressed not only from a system security
   perspective, but also from a personnel management perspective. Consequently, FSA’s Security
   Office, Human Resources Division, and operating unit offices need to work together closely to ensure
   this issue is addressed.

5. Update existing information security training policies and practices to address the use of enhanced
   information security training mechanisms, such as the interactive Internet training program planned
   for fiscal year 2003.

6. Ensure that the planned efforts to update FSA/CCC’s contingency planning policy by January 2003,
   and the subsequent contingency planning documents, are completed, that critical recovery elements,
   both data and system related, are addressed in contingency planning strategy, and that the contingency
   planning strategy is sufficiently tested. These efforts should also include the county office systems
   and business processes.

7. Ensure immediate resolution to the device security weaknesses communicated during the audit.

8. Use the technical device weaknesses identified during this audit and prior OIG audits, results of FSA
   Security Office vulnerability scans, and current industry security guidance to develop stronger
   policies and technical guidelines for securing network and system devices. Communication by
   executive management regarding adherence to the policies and guidelines, as noted in
   Recommendation No. 1, is a critical step for ensuring compliance.

2. IMPROVEMENT NEEDED IN FINANCIAL SYSTEM FUNCTIONALITY AND RELATED
   PROCESSES.

Maintaining quality Federal financial management system functionality is critical to increasing the
accountability of financial and program managers, providing better information for decision-making, and
increasing the efficiency and effectiveness of services provided by the Federal government. Proper and
reliable financial management systems must provide for:

•   Accountability. Inform taxpayers, Congress, and agency personnel in terms they can readily
    understand, on how the Nation’s tax dollars are spent, and how Federal assets are protected.

•   Efficiency and Effectiveness. Provide efficient and effective service to the Federal agency’s internal
    and external customers (e.g., individuals, contractors, partnerships, state and local governments, other
    Federal agencies/organizations, the military, and foreign governments).

•   Better Decision-Making. Provide to Congress, agency heads and program managers, timely reports
    linking financial results and program data so that financial and program results of policy and program
    decisions can be identified, tracked, and forecasted more accurately[3].

FFMIA mandates that Federal financial management be advanced by ensuring that Federal financial
management systems and accounting standards be implemented to provide reliable, consistent disclosure
of financial data.
OMB Circular A-127 sets forth policies for establishing and maintaining Federal
financial management systems in accordance with FFMIA.

We noted examples where FSA/CCC’s financial systems processing environment could be improved to
better support CCC’s financial processes and comply with FFMIA requirements and OMB A-127 policy
guidance. Specifically, we noted the following:

•   CCC’s financial accounting consolidation and reporting system, Hyperion, needs to have improved
    system controls and documentation. Specifically, we noted that:
    - System access control management needs improvement. User passwords can be as few as two
      characters, and the process for adding new users and modifying existing user access levels is not
      consistently documented. This condition elevates the information security risk for the system, as
      potential unauthorized users could more easily compromise the system. According to National
      Institute of Standards and Technology (NIST) guidelines, system passwords should be a minimum
      of six alpha-numeric characters, and the process for managing user access should be well
      documented.
    - There are limited policies and procedures to support the system. For example, there is no system
      user’s guide. Should CCC experience employee turnover, the lack of such documents will make
      the management of the system more difficult and could jeopardize system and financial
      processing. Also, there are no change management procedures to ensure that any new accounting
      requirements, software upgrades, or other changes are approved, tested, and implemented in a
      controlled manner.
    These controls are important for Hyperion, as the system is used to consolidate and generate CCC’s
    annual financial statements, and track post year-end close adjusting entries.
    Consequently, data loss
    from unauthorized access or system processing issues could negatively impact CCC’s financial
    reporting process. Contributing factors to these issues include: 1) the lack of a strong entity-wide
    security program, as noted earlier in this report, and 2) the primary focus of the Hyperion
    implementation being on system functionality, with less of a focus on implementing information
    security controls and developing supporting system policies and other documentation.

•   As reported in prior years by the OIG, FSA/CCC does not have a collection of financial systems and
    processes that are capable of fully monitoring and controlling budgetary resources for all programs.
    For example, as reported by the OIG in its fiscal year 2001 CCC financial audit report, FSA/CCC did
    not effectively utilize available funds control data to timely suspend the disbursement of 2001 Market
    Loss Assistance payments prior to exceeding the $4.6 billion limitation. This occurred, in part,
    because FSA/CCC does not have an integrated system to track and govern the status of obligations
    and administrative limitations established by legislation or agency policy and is dependent upon
    manual processes. The use of manual processes and reconciliations to manage budgetary accounts
    subjects CCC’s overall funds control process to significant control risk.

    [3] From the Joint Financial Management Improvement Program (JFMIP) Core Financial System Requirements,
    dated November 2001.

•   We noted that several FSA/CCC personnel were familiar with CORE financial system processes.
    In
    addition, FSA/CCC has strived to establish processes so that accounting personnel have a thorough
    knowledge of the overall financial process as well as having accountants with specific knowledge in
    each of the main accounting areas, such as debt management, cash management, and general ledger
    processing. However, as the OIG has noted in prior year audits, we also noted the need for FSA/CCC
    accountants to improve their knowledge of financial system and process operations. For example, we
    noted the need to provide additional training to personnel responsible for posting accounting entries in
    accordance with the U.S. Government Standard General Ledger (SGL), including the
    budgetary/proprietary relationships. We also noted that the budgetary entries recorded for cash
    collections from inventory sales were recorded incorrectly, as the program code used to record
    collections for certain types of inventory sales posted an expenditure refund (by debiting account 4902
    Delivered Orders-Obligations Unpaid) instead of a revenue collection (by debiting account 4266
    Other Actual Business-Type Collections from Non-Federal Sources). As a result of our audit work,
    CCC posted an adjusting journal entry for over $46.8 million after the general ledger had been closed.

•   Interface controls between feeder systems and CORE can be improved. For example:
    - Insufficient system change controls and testing controls with the Processed Commodity Inventory
      Management System (PCIMS) resulted in approximately $3.5 million in milk product being listed
      in PCIMS but not in CORE. Upon notification of the condition by the financial audit team,
      FSA/CCC issued an emergency change request to correct the problem and also began attempting
      to identify the full extent of the problem and the impacted transactions.
      Ultimately, the
      transactions that were impacted were not reentered into CORE, but were accounted for with a
      summary journal entry. Although the dollar amount is not significant to CCC’s financial
      statements, the lack of sufficient change controls and testing controls that contributed to this issue
      elevates concerns with FSA/CCC’s overall system control environment.
    - Legacy systems in operation at county offices contribute to financial processing problems. For
      example, in September 2002, as CCC was performing financial year-end processing, there were
      significant processing delays caused by the magnitude of data transmitted from county offices to
      CORE. FSA/CCC is aware of the problems being caused by the legacy county office systems, and
      is planning to upgrade many county office systems during fiscal year 2003 as part of the Common
      Computing Environment (CCE) initiative.

•   Because of the financial systems challenges FSA/CCC faces, several of which are noted in this report,
    during fiscal year 2002 FSA/CCC performed an FFMIA self assessment to identify specific areas of
    improvement. This assessment highlighted FSA/CCC’s substantial non-compliance with FFMIA in
    the areas of Federal financial system requirements and Federal accounting standards. Specific areas of
    improvement noted in the FFMIA self assessment include the need:
    - For more complete implementation of various feeder systems interfaces with CORE.
      For
      example, needed interface enhancements were noted for the CORE financial system and the
      General Sales Manager (GSM) system.
    - To perform a self assessment for all CCC financial feeder systems to identify areas of
      improvement.
    - To automate the current manually oriented financial accounting entry process with additional
      system functionality.

    FSA/CCC has developed a corrective action plan to address the identified FFMIA weaknesses, and the
    plan includes action steps for implementing a new GSM system and related interface to CORE, and
    implementing an E-Funds control system to help address current manually oriented funds control
    processes.

•   During fiscal year 2002 FSA/CCC also performed an OMB Circular A-127 self assessment for
    CCC-CORE. This self assessment effort is commendable, but we noted areas where the assessment process
    could be enhanced. For example:
    - Although the CCC-CORE OMB Circular A-127 self assessment was conducted in accordance
      with FFMIA checklists provided by the General Accounting Office (GAO), the review was not
      fully focused on assessing how the CCC-CORE financial system is being operated to support
      existing CCC financial business processes.
      In several cases the financial systems review team
      noted that although CCC-CORE is capable of meeting FFMIA and Joint Financial Management
      Improvement Program (JFMIP) requirements, CCC does not use the mandatory system
      capabilities to support existing business processes.
        For example, the GAO checklist question was as follows: “does the system incorporate both
        proprietary and budgetary accounts in the system, and maintain the relationships between
        accounts as described in the SGL?” CCC answered in the affirmative. However, during recent
        OIG audits it has been noted that proper budgetary and proprietary accounting relationships were
        not maintained within CCC-CORE. In addition, CCC acknowledged in its standard operating
        procedures for its CCC-CORE account analysis that differences do exist between budgetary and
        proprietary accounts and, in some cases, these differences existed since the inception of CORE.
        CCC personnel stated that the CCC-CORE system provides for this function, and they are
        reviewing current business practices to fully incorporate the system functionality. Consequently,
        the reviews do not provide a fully accurate depiction of the system capabilities as being used by
        FSA/CCC. Such a review methodology makes it difficult for CCC to adequately plan for
        additional functionality that is mandatory per FFMIA and JFMIP requirements.
    - The CCC-CORE self assessment did not fully address prior year audit findings. For example, in
      the fiscal year 2001 CCC financial audit report, the OIG noted concerns with the CORE posting
      models. However, the financial systems review team did not address posting model issues raised
      by the OIG.
      Although there are other mechanisms by which CCC tracks prior year OIG findings,
      such as the monthly Major Management Initiatives report, prior year OIG findings were not
      specifically addressed in the CCC-CORE OMB Circular A-127 self assessment. This is important
      to ensure that all relevant financial issues and findings are being addressed by the self assessment
      reviews.
    - The CCC-CORE self assessment, conducted from February 2002 through May 2002, did not take
      into account the most current applicable system guidance. For example, the review was based on
      the February 2000 GAO FFMIA checklist, which references the February 1999 JFMIP Core
      Financial System requirements. However, in November 2001 JFMIP issued an updated version of
      the Core Financial System requirements. For future reviews, CCC should complement the use of
      the GAO checklist with any relevant new guidance.

    We noted that these issues occurred because although guidance was established by FSA/CCC for
    performing the CCC-CORE self assessment, the guidance could be made more specific to encompass
    the above issues.

Recommendations:

We recommend that FSA/CCC:

9. Require Hyperion user passwords to have a minimum of six alpha-numeric characters, consistent with
   OMB Circular A-130 and NIST guidance, and implement a documented policy for managing
   Hyperion access.

10. Develop and document policies related to the guidance, control, and monitoring of the Hyperion
    application, such as a system user guide and system change control policies and procedures.
    This
    should also include policies and procedures relating to system changes regarding accounting
    requirements (i.e., changing the mapping of accounts to financial statement line-items).

11. Continue to take steps to provide CORE cross training, sharing of knowledge, and the documentation
    of key CORE system processes, as recommended by the OIG in its fiscal year 2001 audit report. Such
    efforts would not only provide additional training and knowledge to staff, but will also help address
    continuity of knowledge if staff turnover occurs. For example, training efforts could be enhanced in
    regards to SGL accounting.

12. Implement improved change control and system testing policies to help prevent future issues similar
    to the PCIMS processing problem.

13. Continue with plans to implement the CCE initiative to help address financial processing problems
    caused by legacy county office systems.

14. Continue with plans to implement action items from its FFMIA remediation plan, such as the
    implementation of the GSM system and E-Funds control system. As the E-Funds control system is
    further implemented, FSA/CCC should ensure that JFMIP’s Core Financial Management System
    Requirements, especially those related to funds management, are applied to the system. If the E-Funds
    control system is further delayed, FSA/CCC should explore other methods to implement integrated
    system controls to ensure that the total of disbursements made and obligations incurred do not exceed
    the applicable legislative or agency funding authority at the time a transaction is recorded. The
    controls should ensure that responsibility for authorizing transactions is well documented and proper
    accountability for obligation and disbursement transactions is maintained.

15. Ensure that future financial system reviews are based on the actual capabilities of the systems under
    review, taking into account existing CCC business processes. The reviews should also be designed to
    take into account steps to address prior year audit findings, including any remaining CORE posting
    model issues, and be based on the most current information available.

3. IMPROVEMENT NEEDED IN FUNDS CONTROL MECHANISMS.

As reported in prior years, FSA/CCC does not have a collection of financial systems and processes that
are capable of fully monitoring and controlling budgetary resources for all programs at the transaction
level. As reported by the USDA OIG in its fiscal year 2001 report, FSA/CCC did not effectively utilize
available funds control data to timely suspend the disbursement of 2001 Market Loss Assistance payments
prior to exceeding the $4.6 billion limitation. This occurred, in part, because FSA/CCC does not have an
integrated system to track and govern the status of obligations and administrative limitations established
by legislation or agency policy and is dependent upon manual processes.

During fiscal year 2002, FSA/CCC took action to improve this process; however, many reports are
prepared manually because the data sources exist in several different systems which are not interfaced.
For example, FSA/CCC:

•   Developed a manually prepared daily funds tracking report for review by program and agency
    managers.
    As new programs are funded, they are included in the report and released to program
    managers on a weekly basis.
    In relation to this funds tracking mechanism, CCC developed and implemented an authorized payment
    process for National Program managers to use to authorize payments when funds are within 15
    percent of the budget threshold. This authorized payment process is implemented for any program that
    reaches the 15 percent threshold and still has payments due. It allows program managers to
    specifically identify where the remaining funds are being expended; and to monitor payments to
    ensure funds are not disbursed in excess of legislative or agency limitations.

•   Utilized a manual tracking report for reimbursable agreements that monitors disbursements against
    apportionments in order to determine funds are not disbursed in excess of the related apportionments.

•   Developed user requirements for an E-Funds control system and planned to implement the system by
    the end of fiscal year 2002. However, the system implementation was delayed due to other priorities.
    The first phase of the implementation was completed in November 2002, and the full implementation
    is scheduled for later in fiscal year 2003. The E-Funds control system, as currently designed, plans to
    offer functionality with regards to funds allocation, allotment, and management. The E-Funds control
    system is also designed to include security features to ensure that accountability for obligation and
    disbursement transactions is maintained.

FSA/CCC is currently managing funds control for all programs with manual analysis and reconciliation,
meant to partially mitigate the risks associated with the lack of an integrated obligating system.
However,
the use of manual processes and reconciliations subjects CCC’s overall funds control objective to
significant control risk.

Funds control is a vital component of any Federal government operation. It requires that an obligation be
recorded prior to disbursement of funds. When a disbursement is processed the systems’ funds control
function will compare the amount to be disbursed to the remaining amount of the obligation to ensure
funds remain available. Only when funds remain available will funds be disbursed. In addition, the
Anti-Deficiency Act provides, in part, that an officer or employee of the United States Government may not (a)
make or authorize an expenditure or obligation exceeding an amount available in an appropriation or fund
for the expenditure or obligation; (b) involve the government in a contract or obligation for the payment
of money before an appropriation is made unless authorized by law. Section 1517a.2., of this Act further
provides that an agency may not exceed the available amount of an administrative subdivision officially
directed by the agency.

In accordance with part 4 of OMB Circular A-11, the purpose of funds control is to:

•   Restrict both obligations and expenditures from each appropriation or fund account to the lower of the
    amount apportioned by OMB or the amount available for obligation and/or expenditure in the
    appropriation or fund account.

•   Enable CCC’s management to identify the person responsible for any obligation or expenditure
    exceeding the amount available in the appropriation or fund account, the OMB apportionment or
    reapportionment, the allotments or sub-allotments made by
    CCC, and statutory limitations, and any
    other administrative sub-division of funds made by CCC.

In addition, the Joint Financial Management Improvement Program (JFMIP) Core Financial System
Requirements, dated November 2001, require agency core financial systems to support the budget
execution process by:

•   Providing the capability to compare actual amounts (e.g., commitments and obligations) against the
    original and revised budgeted amounts consistent with each financial planning level;

•   Providing the ability to manage and control prior year funds in the current year, including the
    capability to identify prior year and current year de-obligations separately;

•   Providing control features that ensure that the amounts reflected in the fund control structure agree
    with the related general ledger account balances at the end of each update cycle; and

•   Verifying that funds distributed do not exceed the amount of funds available for allotment or
    sub-allotment at each distribution level.

Therefore, an agency must have an automated funds control system to monitor and control the entire
process. Such control mechanisms must account for all apportionments/appropriations for each
program/fund as well as the related allotments, obligations and disbursements.

Recommendation:

16. We recommend that FSA/CCC continue with plans to implement the E-Funds control system. As the
    E-Funds control system is further designed and planned, FSA/CCC should ensure that JFMIP’s Core
    Financial Management System Requirements, especially those related to funds management, are
    applied to the system.
    If the E-Funds control system is further delayed, FSA/CCC should explore other methods to implement integrated system controls to ensure that the total of disbursements made and obligations incurred do not exceed the applicable legislative or agency funding authority at the time a transaction occurs. The controls should ensure that responsibility for authorizing transactions is well documented and proper accountability for obligation and disbursement transactions is maintained.

4. IMPROVEMENT NEEDED IN FINANCIAL ACCOUNTING AND REPORTING POLICIES AND PROCEDURES.

Although FSA/CCC has taken steps to reduce the number of post closing entries, we noted that numerous adjustments were made to the consolidated financial statements after the general ledger was closed for fiscal year 2002. As the OIG reported in prior years, CCC’s financial accounting and reporting policies and procedures should be strengthened to ensure that errors are prevented or identified and corrected during the fiscal year. During our audit, we noted the following:

• CCC’s current policy for recording liabilities for commodity acquisition is based on receipt of invoices, rather than receipt of the commodity inventory. We noted that CCC did not accrue liabilities at year-end for grain commodities purchased and received prior to year-end. Also, no accrual entry was recorded for processed commodities purchased and received prior to year-end if the invoices were not received.
  During our audit, we noted that the related accruals for commodities purchased should have been recorded as follows at September 30, 2002:
  - The accrual for grain commodities purchased should have been approximately $53 million. Further, related donation expenses for the Section 416 donations and the P.L. 480 sales/donations were understated by $26.2 and $26.8 million respectively. We also noted that during fiscal year 2002, CCC recorded approximately $31 million for grain commodities purchased and received in fiscal year 2001.
  - The accrual for processed commodities should have been approximately $36.1 million. As a result, inventory, donation expenses for the Section 416 donations, and the P.L. 480 sales/donations were understated by $7.6, $13.8, and $14.7 million, respectively. We also noted that during fiscal year 2002, CCC recorded approximately $52 million for processed commodities purchased and received in fiscal year 2001.
  As a result of our audit, CCC recorded an adjustment, after the general ledger was closed, to properly recognize $89.1 million as a liability for commodities payable and the related effect on inventory and expenses at September 30, 2002.

• CCC needs to correct certain transaction posting models, as follows:
  - The budgetary entries recorded for cash collections from inventory sales were recorded incorrectly, because the program code used to record collections for certain types of inventory sales posted an expenditure refund (by debiting account 4902 Delivered Orders-Obligations Paid) instead of a revenue collection (by debiting account 4266 Other Actual Business-Type Collections from Non-Federal Sources). As a result, CCC’s obligations incurred and spending authority from offsetting collections on its Statement of Budgetary Resources were understated.
    CCC posted an adjusting journal entry, after the general ledger was closed, for over $46.8 million.
  - CCC did not record obligation entries for open contracts with undelivered orders in its general ledger for inventory purchasing activities. As a result of our audit, CCC posted an adjusting journal entry, after the general ledger was closed, for undelivered orders on open grain and processed commodity contracts for approximately $130 million and $24 million at September 30, 2002 and 2001, respectively, and increased the obligations incurred in the Statement of Budgetary Resources by $106 million.

• Although reconciliations were being performed between the subsidiary systems and the CORE general ledger, we noted that the current procedures are not effective to ensure that reconciling items identified were appropriately followed up and cleared on a timely basis. Specifically, we noted the following:
  - The reconciliations of the Grain Inventory Management System (GIMS) to CORE included several carry-forward reconciling items related to warehouse-stored local sales that had occurred primarily during fiscal year 1999. The warehouse-stored local sales transactions were not posted in CORE at the time they occurred due to SCOAP capacity limitations when the system was initially implemented in 1999. Some of these transactions were manually recorded in CORE upon the receipt of the source documentation from the County Offices (Cos). However, due to inadequate documentation from the Cos, not all of the sales transactions were recorded as of September 30, 2002.
    As a result of our audit, CCC recorded an adjusting entry for these transactions, after the general ledger was closed, which accounted for $4.2 million in sales revenue, $5.3 million in cost of goods sold, and $1.1 million in realized losses from appropriations.
  - The PCIMS to CORE reconciliation informal policy allows for a ‘reasonable’ variance between the general ledger quantities and the quantities recorded in the subsidiary system. However, no official threshold guidelines were established. Consequently, there is a lack of consistency in the degree of precision used in preparing the PCIMS to CORE reconciliation and potential material differences could go undetected and uncorrected. During our audit, we noted that an unreconciled difference of $18.6 million on the December 31, 2001 milk reconciliation was not investigated by CCC because it was not considered material. This difference was cleared in January 2002.

• CCC’s policies for calculating the allowance for losses against commodity inventories and commodity loans should be reviewed. Specifically, we noted the following:
  - CCC does not maintain policies and procedures describing the theory, assumptions, methods, and source data used to forecast realizable unit values for the outstanding direct commodity loans and inventory on hand. CCC economists were unable to provide model outputs or other documentation in support of the forecasted amounts utilized in calculating the allowance for loan and inventory losses at September 30, 2002. Further, there is no documentation to indicate the method of loan redemption (i.e., via forfeiture, repayment at principal and interest, or repayment at the market value).
    Therefore, it was necessary for us to hold numerous meetings with CCC’s economists to obtain sufficient substantive information with which to gain an understanding of the basis for the economic assumptions used by CCC management to calculate the loss reserves.
  - The estimated unit rates used in the calculation of the allowance for inventory and loan losses are often based on the mid-point of a price range forecasted by the Interagency Commodity Estimate Committee (ICEC). Given the volatility of agricultural commodity prices and the difficulties inherent in economic predictions, it is expected that commodity prices will often fall below the mid-point of the range forecasted by ICEC; therefore, the dollar impact could vary significantly from year to year.
  - The form regularly e-mailed to the economists and commodity experts to collect their forecasts of unit rates should be reviewed. Confusion results from the form’s content, incorrect labeling, and insufficient direction. During our audit, we noted that the economists and commodity experts responsible for developing unit rates were not aware of the purpose for which they were providing this information to the Financial Management Division (FMD).
    Further, although most of them were familiar with the estimates in the August 31, 2002 ‘Estimated Losses Relating to Inventories’ and ‘Estimated Losses Relating to Commodity Loans’ worksheets, they were not familiar with the unit rates utilized in the allowance calculation at September 30, 2002.

As a result of our audit, CCC recorded an adjustment, after the general ledger was closed, to increase the allowance for losses against commodity inventories and loans by $648 million and $18 million, respectively, in order to bring CCC’s inventory and commodity loan balances to the audited estimated net realizable value.

• CCC’s policy for monitoring receivables should be improved to ensure that delinquent debts are closely monitored to ensure compliance with the Debt Collection Improvement Act of 1996. As reported by the USDA OIG in its fiscal year 2001 report, FSA/CCC was not in substantial compliance with one provision of DCIA, and receivables older than 60 days were not always converted by the field office personnel to claim status and reported to FSA/CCC’s centralized debt servicing system. During our audit, we noted that field office personnel did not comply with the timeliness requirements for following up on outstanding debts as follows:
  - For 35 of the 68 claims reviewed, notification or demand letters were not sent within the time frame established by FSA/CCC policy.
    DCIA requires that proper due process be given a debtor prior to referral to Treasury for cross-servicing or the offset program.
  - For 9 of the 68 claims reviewed, we noted that receivables older than 60 days were not converted to claims status. At September 30, 2002, we noted that CCC had more than 8,400 receivables for over $25 million older than 60 days that were not converted to claim status.
  - For 10 of the 96 claims reviewed, we noted proper due process was not performed by field office personnel to ensure that eligible delinquent debts were transferred to Treasury for cross-servicing. At September 30, 2002, we noted that approximately 3,829 receivable balances, totaling approximately $17.6 million, were over 180 days past due and could be subject to immediate referral to Treasury for cross-servicing or the offset program if they were converted to claim status, and determined eligible.

• CCC’s policy for recording liabilities on producer payment programs should be formalized and documented in a policies and procedures manual.
  During our audit, we noted that there was no documentation prepared by CCC to identify which programs required accruals at September 30, 2002. As a result of our audit, CCC recorded the following adjusting entries, after the general ledger was closed:
  - $155 million of annual rental payments for Conservation Reserve Programs to be disbursed to eligible producers who were enrolled in the program prior to September 30, 2002.
  - $34 million of Loan Deficiency Payments disbursed in fiscal year 2003, but approved in fiscal year 2002;
  - $75 million of Apple Market Loss Assistance Program disbursements made in fiscal year 2003 to eligible program participants enrolled in fiscal year 2002;
  - $15 million of payments made in fiscal year 2003 under the Bioenergy Program for production levels that the companies achieved during the 4th quarter of fiscal year 2002.

Recommendations:

We recommend that FSA/CCC:

17. Revise its liability recognition policy to record liabilities for commodities purchased on the same date the commodities are received, to ensure that all liabilities are recorded in the proper period.

18. Review and revise the general ledger posting logic, where necessary, to ensure that all required budgetary entries are posted correctly when the corresponding proprietary entries are made.

19. Continue to investigate and resolve differences identified on the reconciliations between the feeder systems and CORE in a timely manner.
    Once the cause is identified, applicable adjustments should be promptly recorded in the CORE general ledger, supporting documentation should be maintained for all adjustments made, and the cause should be rectified to prevent further errors.

20. Formalize its PCIMS reconciliation policy to include a threshold for resolving differences identified between the CORE general ledger quantities and the quantities recorded in PCIMS.

21. Compile documentation describing the theory, assumptions, methods, and data used to forecast expected dispositions and realizable unit rates for the outstanding direct commodity loans and inventory. Additionally, we recommend that economists retain for their records calculations, model output, and notes that explain their methodology and forecasts.

22. Evaluate the risk of using mid-point estimates, as it relates to CCC’s financial integrity and to the reliability of its financial statements. If unexpected losses and forfeitures are significant, we recommend that CCC implement more conservative estimation routines, including the use of the low end of the estimated price range.

23. Review the form and content of the document e-mailed to the economists for obtaining their estimates, to determine if it fulfills its purpose effectively. Units and unit labels should be specified on the form. Further, the form should be accompanied with an explanatory note, which documents the nature and purpose of the request. The directions provided by FMD should draw the economist’s attention to the sections and fields requiring their attention. Additionally, the economists and commodity experts should provide updated unit rate estimates in early October before the fiscal year estimates are finalized.
    Further, we recommend that the economists, commodity experts, and their supervisors review the unit rates prior to submission to FMD to ensure that the process is understood and the rates are reasonable.

24. Reports should be generated to identify which delinquent receivables have not been sent a demand letter on a monthly basis to ensure proper notification is provided to the producers, and identify which balances are eligible to be transferred to claim status or to Treasury for cross-servicing or the offset program. In addition, the policy should be revised to ensure that these reports are reviewed on a timely basis by senior management to ensure that the field offices are following CCC’s policies to ensure compliance with DCIA.

25. Formalize its proprietary and budgetary accounting policies through the development and routine maintenance of a comprehensive policies and procedures manual for all CCC programs that is based on current accounting standards. Additionally, an analysis of programs should be prepared annually to identify which programs require year end activity cut off adjustments (e.g., unrecorded liabilities and undelivered orders).

5. IMPROVEMENT NEEDED IN BUDGETARY ACCOUNTING AND REPORTING POLICIES AND PROCEDURES.

During fiscal year 2002, FSA/CCC has taken steps to enhance its procedures over the budget execution process in accordance with OMB and U.S. Treasury requirements based on recommendations from the OIG; however, significant control weaknesses remain.
Throughout the fiscal year, CCC must be able to ensure through its internal control policies and procedures that the status of its budgetary resources is properly recorded in the general ledger (e.g., CORE) and reported to OMB on a quarterly and year-end basis. In addition, these policies must ensure that the status of budgetary resources is properly reported in the Combined Statement of Budgetary Resources and the related notes to the consolidated financial statements. The results of our audit procedures for the budget execution process indicate that procedures must be improved for CCC to ensure that accurate, complete and timely budgetary accounting entries are made, and that the year end status of budgetary resources is accurately reported. During our audit, we noted the following:

• Based on recommendations arising from the OIG’s fiscal year 2001 audit, CCC developed and implemented a monthly budgetary to proprietary reconciliation process beginning in February 2002, designed to ensure that all budgetary and proprietary transactions are properly and timely recorded. These reconciliation processes are based on U.S. Treasury guidance and CCC is performing the reconciliations on a monthly basis. However, CCC does not consistently perform timely follow up to correct the causes of the differences noted and make the necessary adjustments to the general ledger. For example, we reviewed reconciliations for the months of March, June and July 2002, and noted total differences between budgetary and proprietary cash, advances and accounts payable accounts totaling $125 million, $926 million and $1.4 billion, for those months respectively, which were subsequently corrected during the year end closing process. The lack of timely follow up increases the risk that year end budgetary balances will not be properly adjusted and reported in the combined statement of budgetary resources.
  The lack of timely corrections also increases the risk that balances reported to OMB on a quarterly basis through the SF-133 reporting process are not properly stated. In addition, untimely follow up can also cause difficulties for the CCC accounting staff during the closing process; because correcting entries are not made timely, the CCC must review and approve not only adjustments arising during the normal course of closing the general ledger, but also adjustments arising from interim period activity.

• We noted that CCC’s undelivered orders (UDOs) balances were primarily supported by documentation provided by program offices as a result of CCC Kansas City Finance Office (KCFO) information requests at September 30, 2002. Certain of this documentation suggested that the program offices were not fully versed on the accounting requirements for recording unliquidated obligations. Therefore, we requested that CCC management develop estimates of its fiscal year end 2002 and 2001 UDO balances based on subsequent payment activity. As a result of performing the above audit procedures related to the 2002 and 2001 balances, it was necessary for CCC to make a downward adjustment to its UDO balances of more than $325 million.

• During our internal control test work on the budget execution process, we noted that 9 of 21 apportionments/reapportionment schedules (SF-132’s) selected for testing were either erroneously recorded, not recorded, or recorded more than one month subsequent to the OMB approval date.
  The untimely or erroneous recording of apportionments increases the risk of inaccurate presentation and disclosure of budgetary resources and status of budgetary resources in the financial statements. In addition, if apportionments are not recorded timely, it makes it more difficult to track the status of budgeted resources and maintain funds control. Apportionments were not recorded timely due to:
  - Delays in receiving the Accounting Requirements Memo from the Financial Management Division-Financial Systems and Procedures Branch (FMD-FSPB) or in updating the CORE tables by Financial Analysis Division-General Ledger Control Branch (FAD-GLCB);
  - Receipt by the Financial Accounting Division, Financial Analysis and Reporting Branch (FAD-FARB) of SF-132s from Budget, Programs Branch (BUD-CPB), more than one month subsequent to OMB’s approval date; or
  - Detailed reviews and reconciliations of apportionment transactions not being adequately performed to ensure that these transactions were recorded in the proper period.

Recommendations:

We recommend that FSA/CCC:

26. Continue to perform monthly reconciliations between its proprietary and budgetary accounts based on written procedures. However, in addition to the current practice, CCC should begin to perform timely follow-up on inconsistent or abnormal budgetary to proprietary relationships found during the review process to ensure the balances are properly adjusted and are an accurate reflection of current financial events.

27. Enhance its CORE system capabilities as soon as is practical to record obligations as incurred and manage funds control edits at the transaction level.
    In the interim, however, CCC should develop entity-wide policies and procedures for management to perform adequate review of all obligations, which will help to ensure that balances are accurately and timely adjusted on a monthly basis. The process should provide for central management control and review, to ensure adequate support for recorded amounts exists and that sufficient consideration is given to the legitimacy of unliquidated obligation amounts.

28. Enhance policies and procedures to ensure that a more thorough management review is performed of monthly adjustments to account balances and to assist department staff in recording apportionments in a timely manner. Changes in current policies should address the reasons documents are not processed timely or internal accounting guidance is not developed and issued on a timely basis by the responsible CCC departments. In addition, to provide management with the ability to monitor progress in this area, CCC should develop a system to track apportionments from the time they are received, to ensure timely recording of the budget authority.

29. Re-assess the roles and responsibilities of each branch office involved with the budget execution process, to ensure that appropriate resources and tools are available to timely achieve the budget execution reporting objectives established by management and authoritative guidance.

CONSOLIDATED FINANCIAL STATEMENTS
'